Results 1 - 10 of 16
Blueprint: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers
- 30TH IEEE SYMPOSIUM ON SECURITY AND PRIVACY, 2009
Cited by 46 (2 self)
As social networking sites proliferate across the World Wide Web, complex user-created HTML content is rapidly becoming the norm rather than the exception. User-created web content is a notorious vector for cross-site scripting (XSS) attacks that target websites and confidential user data. In this threat climate, mechanisms that render web applications immune to XSS attacks have been of recent research interest. A challenge for these security mechanisms is enabling web applications to accept complex HTML input from users, while disallowing malicious script content. This challenge is made difficult by anomalous web browser behaviors, which are often used as vectors for successful XSS attacks. Motivated by this problem, we present a new XSS defense strategy designed to be effective in widely deployed existing web browsers, despite anomalous browser behavior. Our approach seeks to minimize trust placed on browsers for interpreting untrusted content. We implemented this approach in a tool called BLUEPRINT that was integrated with several popular web applications. We evaluated BLUEPRINT against a barrage of stress tests that demonstrate strong resistance to attacks, excellent compatibility with web browsers and reasonable performance overheads.
Scriptless Attacks: Stealing the Pie Without Touching the Sill
- In Proceedings of the ACM Conference on Computer and Communications Security (CCS), 2012
Cited by 16 (2 self)
Due to their high practical impact, Cross-Site Scripting (XSS) attacks have attracted a lot of attention from the security community members. In the same way, a plethora of more or less effective defense techniques have been proposed, addressing the causes and effects of XSS vulnerabilities. As a result, an adversary often can no longer inject or even execute arbitrary scripting code in several real-life scenarios. In this paper, we examine the attack surface that remains after XSS and similar scripting attacks are supposedly mitigated by preventing an attacker from executing JavaScript code. We address the question of whether an attacker really needs JavaScript or similar functionality to perform attacks aiming for information theft. The surprising result is that an attacker can also abuse Cascading Style Sheets (CSS) in combination with other Web techniques like plain HTML, inactive SVG images or font files. Through several case studies, we introduce the so called scriptless attacks and demonstrate that an adversary might not need to execute code to preserve his ability to extract sensitive information from well protected websites. More precisely, we show that an attacker can use seemingly benign features to build side channel attacks that measure and exfiltrate almost arbitrary data displayed on a given website. We conclude this paper with a discussion of potential mitigation techniques against this class of attacks. In addition, we have implemented a browser patch that enables a website to make a vital determination as to being loaded in a detached view or pop-up window. This approach proves useful for prevention of certain types of attacks we here discuss.
A survey on web application security
- 2011
Cited by 4 (0 self)
Web applications are one of the most prevalent platforms for information and services delivery over Internet today. As they are increasingly used for critical services, web applications become a popular and valuable target for security attacks. Although a large body of techniques have been developed to fortify web applications and mitigate the attacks toward web applications, there is little effort devoted to drawing connections among these techniques and building a big picture of web application security research. This paper surveys the area of web application security, with the aim of systematizing the existing techniques into a big picture that promotes future research. We first present the unique aspects in the web application development which bring inherent challenges for building secure web applications. Then we identify three essential security properties that a web application should preserve: input validity, state integrity and logic correctness, and describe the corresponding vulnerabilities that violate these properties along with the attack vectors that exploit these vulnerabilities. We organize the existing research works on securing web applications into three categories based on their design philosophy: security by construction, security by verification and security by protection. Finally, we summarize the lessons learnt and discuss future research opportunities in this area.
Protection, Usability and Improvements in Reflected XSS Filters
Cited by 4 (1 self)
Due to the high popularity of Cross-Site Scripting (XSS) attacks, most major browsers now include or support filters to protect against reflected XSS attacks. Internet Explorer and Google Chrome provide built-in filters, while Firefox supports extensions that provide this functionality. In this paper, we analyze the two most popular open-source XSS filters, XSSAuditor for Google Chrome and NoScript for Firefox. We point out their weaknesses, and present a new browser-resident defense called XSSFilt. In contrast with previous browser defenses that were focused on the detection of whole new scripts, XSSFilt can also detect partial script injections, i.e., alterations of existing scripts by injecting malicious parameter values. Our evaluation shows that a significant fraction of sites vulnerable to reflected XSS can be exploited using partial injections. A second strength of XSSFilt is its use of approximate rather than exact string matching to detect reflected content, which makes it more robust for web sites that employ custom input sanitizations. We provide a detailed experimental evaluation to compare the three filters with respect to their usability and protection.
A Server Side Solution for Protection of Web Applications from Cross-Site Scripting Attacks
- 2013
Cited by 1 (0 self)
Cross-Site scripting attacks occur when accessing information in intermediate trusted sites. Cross-Site Scripting (XSS) is one of the major problems of any Web application. Web browsers are used in the execution of commands in web pages to enable dynamic Web pages attackers to make use of this feature and to enforce the execution of malicious code in a user’s Web browser. This paper describes the possibilities to filter JavaScript in Web applications in server side protection. Server side solution effectively protects against information leakage from the user’s environment. Cross-Site scripting attacks are easy to execute, but difficult to detect and prevent. The flexibility of HTML encoding techniques offers the attacker many possibilities for circumventing server-side input filters that should prevent malicious scripts from being injected into trusted sites. Cross site scripting (XSS) attacks are currently the most exploited security problems in modern web applications. These attacks make use of vulnerabilities in the code of web-applications, resulting in serious consequences, such as theft of cookies, passwords and other personal credentials. It is caused by scripts, which do not sanitize user input.
Model checking techniques for vulnerability analysis of Web applications
- 2013
Part of the Computer Sciences Commons. This Dissertation is brought to you for free and open access by the Graduate College at Digital Repository @ Iowa State University. It has been accepted for inclusion in Graduate Theses and Dissertations by an authorized administrator of Digital Repository @ Iowa State University.
Harvesting File Download Exploits in the Web: A Hacker’s View
- doi:10.1093/comjnl/bxv072, 2014
File download vulnerability, which exposes web servers’ local filesystem to the public, is among the most serious security threats in the web. Exploiting this vulnerability will cause disastrous consequences such as, but not limited to, system intrusion, database intrusion and even the leakage of massive confidential documents. Although the file download vulnerability has been known in the literature for a long time, a comprehensive study of its exploitability in the wild is still lacking. In this paper, we survey the landscape of file download vulnerabilities across different countries and domains, and more importantly, examine their exploitability from a hacker’s perspective. We have successfully revealed the weak protection of this vulnerability in today’s web, as well as confirmed its wide exploitability. To demonstrate the serious consequences, we present two real-world intrusion case studies. One is a system intrusion against a Chinese government website, and the other is a database intrusion targeted to a Chinese industrial service. Our intrusion cases have been confirmed as severe security events by CNCERT (an official security agency in China). At the end, we explore the root cause of this weak protection by analyzing the perils and pitfalls of existing defending solutions, and thereby propose a new enhancement. The basic idea is to deploy a mandatory access control mechanism in the server-side script engine kernel, so as to isolate the files managed by the web server
PROXY BASED SOLUTION FOR MITIGATING CROSS-SITE SCRIPTING ATTACK IN CLIENT SIDE
- IJCET © IAEME
The number and the importance of Web applications have increased rapidly over the last years. Along with the increased importance of Web applications, the negative impact of security flaws in such applications has grown as well. Cross-site scripting holes are web application vulnerabilities that allow attackers to bypass client-side security mechanisms normally imposed on web content by modern browsers. By finding ways of injecting malicious scripts into web pages, an attacker can gain elevated access privileges to sensitive page content, session cookies, and a variety of other information maintained by the browser on behalf of the user. Cross-site scripting attacks are therefore a special case of code injection. In this paper, a proxy based solution is proposed for detecting and preventing cross-site scripting attacks in the client side without degrading the user's browsing experience and also provides additional security by making use of SSL support.
Preventing Input Validation Vulnerabilities in Web Applications through Automated Type Analysis
Web applications have become an integral part of the daily lives of millions of users. Unfortunately, web applications are also frequently targeted by attackers, and critical vulnerabilities such as XSS and SQL injection are still common. As a consequence, much effort in the past decade has been spent on mitigating web application vulnerabilities. Current techniques focus mainly on sanitization: either on automated sanitization, the detection of missing sanitizers, the correctness of sanitizers, or the correct placement of sanitizers. However, these techniques are either not able to prevent new forms of input validation vulnerabilities such as HTTP Parameter Pollution, come with large runtime overhead, lack precision, or require significant modifications to the client and/or server infrastructure. In this paper, we present IPAAS, a novel technique for preventing the exploitation of XSS and SQL injection vulnerabilities based on automated data type detection of input parameters. IPAAS automatically and transparently augments otherwise insecure web application development environments with input validators that result in significant and tangible security improvements for real systems. We implemented IPAAS for PHP and evaluated it on five real-world web applications with known XSS and SQL injection vulnerabilities. Our evaluation demonstrates that IPAAS would have prevented 83% of SQL injection vulnerabilities and 65% of XSS vulnerabilities while incurring no developer burden.
Monitoring and Managing Cloud Computing Security using Denial of Service Bandwidth Allowance
Over the next decade, cloud computing has a good chance of becoming a widely used technology. However, many challenges face the cloud to be overcome before the average user or business team will trust their vital information with a cloud server. Most of these challenges tie into developing sound security measures for the cloud. One of the largest security obstacles is how to defend against a Denial-of-Service (DOS) or Distributed Denial-of-Service (DDOS) attack from taking down a cloud server. DOS attacks are nothing new; many strategies have been proposed and tested against DOS attacks on networks. However, none have been able to completely prevent DOS attacks. The search continues for an effective solution to keep data available to legitimate users who need it when the cloud network that stores that data is the target of a DOS attack. The method proposed (DOSBAD) in this paper will explain how effectively detecting the bandwidth limit of a cloud network and the bandwidth currently in use to know when a DOS is beginning.
Keywords: Cloud computing; Denial of service; Bandwidth